AEPD (Spain) - PS/00443/2021: Difference between revisions
mNo edit summary |
No edit summary |
||
Line 65: | Line 65: | ||
}} | }} | ||
The Spanish DPA recalled that the | The Spanish DPA recalled that the exercise of GDPR rights is free of charge. Asking a data subject to rectify their data following a spelling mistake breaches [[Article 12 GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A data subject purchased airline tickets on the website of the travel agency Vacaciones Edreams (controller). After detecting that there was an error in his name, he contacted the customer service to | A data subject purchased airline tickets on the website of the travel agency Vacaciones Edreams (controller). After detecting that there was an error in his name, he contacted the controller's customer service to have the mistake rectified. To make the change, the controller charged him an additional 50 euros. | ||
The data subject therefore filed a complaint with the French DPA which was transferred to the | The data subject therefore filed a complaint with the French DPA which was transferred to the Spanish DPA in accordance with [[Article 56 GDPR]]. | ||
The investigation revealed that an employee of the controller made a typo and that is why the data subject's name was misspelled. The controller announced that he had since taken steps to prevent this from happening again and that he had compensated the data subject. It also added that the rectification fee was, in turn, decided by the airline company - not by the travel operator. | |||
The investigation revealed that an employee of the controller made a typo and that is why the name was misspelled. The controller announced that he had since taken steps to prevent this from happening again and that he had compensated the data subject. | |||
=== Holding === | === Holding === | ||
The DPA considered that the rights of data subjects under the GDPR must be free. | The DPA considered that the rights of data subjects under the GDPR must be granted free of charge. This is all the more so when the correction does not imply the change of a passenger for another but simply rectify inaccurate data. The DPA considered that there was indeed a breach of [[Article 12 GDPR]] but, taking into account the measures taken by the controller to prevent this from happening again, the DPA considered the breach to be minor within the meaning of [[Article 83 GDPR|Article 83(2) GDPR]]. It therefore issued a warning to the controller. | ||
The DPA considered that there was indeed a breach of [[ | |||
== Comment == | == Comment == |
Revision as of 12:57, 14 March 2023
AEPD - PS/00443/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR Article 15 GDPR Article 83(2) GDPR Article 56 GDPR Article 60 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | Edreams |
National Case Number/Name: | PS/00443/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | ls |
The Spanish DPA recalled that the exercise of GDPR rights is free of charge. Asking a data subject to rectify their data following a spelling mistake breaches Article 12 GDPR.
English Summary
Facts
A data subject purchased airline tickets on the website of the travel agency Vacaciones Edreams (controller). After detecting that there was an error in his name, he contacted the controller's customer service to have the mistake rectified. To make the change, the controller charged him an additional 50 euros.
The data subject therefore filed a complaint with the French DPA which was transferred to the Spanish DPA in accordance with Article 56 GDPR.
The investigation revealed that an employee of the controller made a typo and that is why the data subject's name was misspelled. The controller announced that he had since taken steps to prevent this from happening again and that he had compensated the data subject. It also added that the rectification fee was, in turn, decided by the airline company - not by the travel operator.
Holding
The DPA considered that the rights of data subjects under the GDPR must be granted free of charge. This is all the more so when the correction does not imply the change of a passenger for another but simply rectify inaccurate data. The DPA considered that there was indeed a breach of Article 12 GDPR but, taking into account the measures taken by the controller to prevent this from happening again, the DPA considered the breach to be minor within the meaning of Article 83(2) GDPR. It therefore issued a warning to the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14 File No.: PS/00443/2021 IMI Reference: A56ID 149531- Case Register 163850 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated July 4, 2019 filed a claim with the French data protection authority (Commission Nationale de l'Informatique et des Libertès). The claim is directed against VACACIONES EDREAMS, S.L., with NIF B61965778 (hereinafter, EDREAMS). The reasons on which the claim is based are the following: The claimant states that he purchased some plane tickets on the website ***URL.1. After detecting an error in his name, he contacted the service of customer service to rectify the error. This modification motivated they made an additional charge on the bill of 50 euros. Consider that the person responsible would be complying with the provisions of art. 12.5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these (GDPR) in terms of the gratuity of the action carried out in under article 16 of this Regulation. In addition, the complaining party points out that in the confirmation of the reservation of the 7th of March 2019, despite having made the additional charge of 50 euros, the name It's still misspelled. Along with the claim, provide: - Capture email sent from address no-***EMAIL.1 to ***EMAIL.2, dated February 11, 2019, with the subject “Your reservation is confirmed (Reference ***REFERENCE.1” and the following text: "You can go now. Confirmed reservation GoVoyages booking reference: ***REFERENCE.1 (…)” (in French in the original) Attached to this email is the reservation of a travel itinerary in which it appears as passenger "AAA." - Capture email sent from address no-***EMAIL.1a ***EMAIL.2, dated March 7, 2019, with the subject “Your reservation is confirmed (Reference ***REFERENCE.1” and the following text: "You can go now. Confirmed reservation C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/14 GoVoyages booking reference: ***REFERENCE.1 (…)” (in French in the original) Attached to this email is the reservation of a travel itinerary in which it appears as passenger "AAA." - Capture email sent from address no-***EMAIL.1a ***EMAIL.2, dated April 4, 2019, with the subject “Your reservation is confirmed (Reference ***REFERENCE.2” and the following text: "You can go now. Confirmed reservation GoVoyages booking reference: ***REFERENCE.2 (…)” (in French in the original). Attached to this email is the reservation of a travel itinerary in which it appears as passenger "AAA." - Copy of an invoice from GOVOYAGES in the name of A.A.A., dated February 11 of 2019, which contains a charge of 50 euros for a "Supplementary Service of flight”, Dossier number ***REFERENCE.1. SECOND: Through the "Internal Market Information System" (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote the cross-border administrative cooperation, mutual assistance between States members and the exchange of information, the aforementioned claim was transmitted on the 14th September 2020 and was given a registration date at the Spanish Agency of Data Protection (AEPD) on September 16, 2020. The transfer of this claim to the AEPD is made in accordance with the provisions of article 56 of the GDPR, taking into account its cross-border nature and that this Agency is competent to act as main control authority, given that EDREAMS has its registered office and unique establishment in Spain. The data processing that is carried out affects interested parties in various Member states. According to the information incorporated into the IMI System, of In accordance with the provisions of article 60 of the GDPR, they act as “control authority concerned”, in addition to the French data protection authority data, the authority of Italy, the latter under article 4.22 of the GDPR, given that Data subjects residing in that Member State are likely to be substantially affected by the treatment object of this procedure. THIRD: On December 10, 2020, in accordance with article 64.3 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LOPDGDD), the claim was admitted for processing submitted by the complaining party. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in matter, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/14 1. Regarding the procedure established by EDREAMS to address the rights of rectification of personal data of its clients of ***URL.2 The representatives of EDREAMS declare that the rights to rectify personal data, as well as those of any other personal data right, centralized from the Privacy Form. In this way, it is easier for users the exercise of said exercises, through this easily accessible and linked tool with the Privacy Policy. This form allows, in turn, to automate part of the process, in which a XXXXXXXX ticket (exclusively conditioned to the fact that specialized agents in the management of said rights can confirm the information and have sufficient guarantees that the person claims to be who he is and/or that the representation of a third party is sufficiently accredited), and subsequently connects with the appropriate departments, according to the right exercised. Once the appropriate actions have been carried out, we proceed to respond to the interested in agreement following an internal guide. In this case, apply the guide of the right of rectification. Likewise, clients can exercise their rights by any means they consider timely, as the claimant made it by telephone with his customer service team to the client. Call center agents have an internal policy that they must follow In the event that the exercise of any personal data right is requested, in the terms described above. 2. Regarding the quota established to attend said rectification of data The right to rectify data, as well as any other right included in the personal data protection regulations, is free. 3. Regarding the procedure established to correct errors in the name of the pa- passenger on a ticket purchased through ***URL.2 indicating the fare to be paid nar the client The client can mainly fill in the Privacy Form or call the service of customer service. The department that centralizes rights management will contact, on a case-by-case basis, the departments that own the systems where the find the data and proceed to take the appropriate action. In this case, the correction of an error in the passenger name of a ticket, the change will be made in our systems, as well as in that of the corresponding airline, according to its terms and conditions. There is no associated fee to proceed with said correction of errors on behalf of the passenger by EDREAMS. 4. Regarding whether data rectification is considered to be the correction of an error in the name appearing on tickets purchased through ***URL.2 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/14 In accordance with EDREAMS internal policies, the correction of an error in the name that appears on tickets purchased on their web pages, under the terms occurred in the case of the complaining party, it is considered an area within the content of the right of rectification. Any change that does not imply the change of one passenger for another, must be understood as an exercise of the right of rectification and, therefore, must be treated free. Examples of this, and which are included in the internal policy, are: the typographical error (such as XXXXX, for XXXXX), the inversion between first name and last name (XXXXX, for XXXXX), or the change of surnames from maiden/or to married/or, or vice versa (especially common in certain countries, such as France or the United Kingdom). 5. In relation to whether the entity is aware of the exercise of the right to rectify data of the complaining party and reason for which a charge of €50 has been invoiced After internal investigations, it has been verified that indeed on 14 March 2020, the claimant was mistakenly charged 50 euros. EDREAMS has proceeded to request the claimant's bank details to correct the manual mistake caused by the agent when handling the request and, in this way, proceed to make the transfer for an amount of 15 euros. Unfortunately, XXXXX, like most airlines, imposes charges relating to any name change. On this occasion, the costs of said Change is 35 euros. On the other hand, on January 21, 2021 (the day after the notification of the requirement of this Agency), have taken advantage of this error to notify both the agent who handled the claimant's request, like the rest of the agents, the policy regarding correction of errors in names. FIFTH: On December 10, 2021, the Director of the AEPD adopted a draft decision to initiate disciplinary proceedings. following the process established in article 60 of the GDPR, that same day it was transmitted through the IMI system this draft decision and the authorities concerned were informed that they had four weeks from that moment to formulate pertinent objections and motivated. Within the term for this purpose, the control authorities concerned shall not presented pertinent and reasoned objections in this regard, for which reason it is considered that all supervisory authorities agree with said draft decision and are bound by it, in accordance with the provisions of section 6 of the Article 60 of the GDPR. This draft decision, which was notified to EDREAMS in accordance with the rules established in Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (LPACAP), was collected on the 10th of December 2021, as stated in the acknowledgment of receipt in the file. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/14 SIXTH: On April 21, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against EDREAMS in order to issue a warning, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged violation of Article 12 of the GDPR, typified in Article 83.5 of the GDPR, in which he was indicated that he had a period of ten days to submit claims. This start-up agreement, which was notified to EDREAMS in accordance with the rules established in the LPACAP, was collected on April 21, 2022, as stated in the acknowledgment of receipt in the file. SEVENTH: On May 5, 2022, it is received at this Agency, on time and form, letter from EDREAMS in which it alleges allegations to the start-up agreement in the which, in summary, stated that: 1.- EXERCISE OF RIGHTS IN EDREAMS IN ACCORDANCE WITH THE REGULATIONS EDREAMS centralizes the management of the exercise of rights (including the right to rectification) through its Privacy Form. The Privacy Form allows, in turn, to automate part of the process, in which a case is opened in the internal management tool. Said request is exclusively conditioned to the fact that the agents specialized in the management of these rights can confirm the information and there are sufficient guarantees that the person claims to be who they are and/or that the representation of a third party is sufficiently accredited (normally the confirmation goes through the fact that the client, who receive a verification email, confirm in your personal email registered in our systems that have applied for the corresponding entitlement). After said confirmation, connects with the appropriate departments, according to the right exercised. Finally, a Once the necessary actions have been carried out, we proceed to respond to the interested in accordance with an internal guideline. In this case, apply the internal guidance of the right of rectification. All this in accordance with its Privacy Notice and its internal Privacy Policy, as well as internal procedures; specifically the Internal Guide on the exercise of the right of rectification. Likewise, training and awareness actions are carried out by the Customer Support. Customers who contact customer service, and who want to exercise a right to data protection, they are informed of the Privacy Form, and if they they need, they are sent an email with the link to it so they can request your rights so that the specialized team can manage your request. 2.- EXERCISE OF THE RIGHT OF RECTIFICATION IN EDREAMS AGREEMENT WITH THE REGULATIONS In any case, the right to rectify data, as well as any other right included in the personal data protection regulations, is free. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/14 To correct the passenger's name, the customer can mainly fill in the Privacy Form or call customer service. In no case is there any associated fee to proceed with said correction of errors in the name of the passenger by EDREAMS. 3.- MANUAL ERROR BY THE AGENT AND PARTICULAR CONTEXT OF EDREAMS Following internal investigations, it was found that, indeed, on March 14, 2020 the EDREAMS agent mistakenly charged the complaining party. He got the airline mixed up and, according to the notes we have from the agent regarding the call, the agent did not make it clear to the complaining party that the cost was not a cost of EDREAMS but from the airline. As soon as the agent manual error was detected, the reviewed the policy again and all appropriate measures were put in place to prevent reproduced again (among others, an internal communication was sent to all agents remembering internal policy). In addition, they contacted Mr. A.A.A. to provide the bank details to carry out the corresponding reimbursement and you will be paid, not only the charge of 50 euros, but the entire trip in compensation concept. For all these reasons, EDREAMS considers that it acted diligently about it. On January 21, 2021 (the day after the notification of the requirement of this Agency), the Customer Service team took advantage of this error to notify both the agent who handled the claimant's request and the to the rest of the agents, the policy regarding the correction of errors in the names. Likewise, since then, the agents have had the annual protection training of data (carried out between the months of September and December 2021) in which one of the practical cases is the correction of errors in the name of passengers; and the annual review of internal policies, as well as various recurring communications remembering the mentioned correction. EDREAMS, in the context of its role as a travel agency that offers services international, suffers from a variety of airline policies with terms and conditions very varied conditions, which led the agent, together with his carelessness, to said error manual. The complaining party made a reservation for a XXXXX flight on one of the pages EDREAMS websites with a typo in their name. EDREAMS, as a travel agency, booked on behalf of the complaining party the flight, in the XXXXX systems, with the data provided by it. Saying treatment is carried out within the legitimizing basis of execution of the contract of in accordance with article 6.1.b of the GDPR. In this case, the roles, contractual relationships and responsibilities are summarized as continuation: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/14 1. EDREAMS acts as an agent, as an intermediary, on behalf of the client, and within its scope of management and systems, is responsible for the processing of personal data, since it determines the means and purposes of according to the agent contract. 2. XXXXX acts as air carrier and determines the means and purposes in this field, for which reason it is responsible for the treatment within the framework of the air transportation contract. EDREAMS informs its clients of said roles, contractual relationships and responsibilities, on its website. While the correction in EDREAMS systems is managed according to with article 16 of the GDPR, the correction in the systems of the airline (in this case of XXXXX) is managed when possible and is free of charge according to the Terms and Conditions of the airline. When EDREAMS cannot correct directly in the airline's systems, EDREAMS notifies the airline in accordance with Article 19 of the GDPR. In any case, EDREAMS cannot guarantee nor can it be held responsible for the rectification in the computer systems used by the airlines, since are governed by their own Terms and Conditions, and act as responsible for the processing of personal data. Of the hundreds of airlines that customers can book through the services EDREAMS travel agent, there is a disparity regarding the correctness of the number of passengers On many occasions, they are met with the refusal of the airlines to correct errors in the name or request a management fee. Unfortunately, most airlines ask for a fee or cost before a request to change the data of the passenger's owner. When you have to deal with airlines blocking name correction, EDREAMS insists on the application of data protection regulations, in defense of your clients. EDREAMS regrets what happened in this exceptional case, but understands that it is not must reproduce. He affirms that he works tirelessly to improve his processes, with the aim of not only complying with the regulations, but also strengthening the trust of its clients in us. For this reason, it will continue to monitor and continuously improve the policies, processes, actions and measures referred to herein. EIGHTH: On August 19, 2022, the investigating body of the procedure sanctioner formulated a proposal for a resolution, in which he proposes that the Director AEPD sends a warning to VACACIONES EDREAMS, S.L., with NIF B61965778, for a violation of article 12 of the GDPR, typified in article 83.5 of the GDPR. This proposed resolution, which was notified to EDREAMS in accordance with the rules established in Law 39/2015, of October 1, on Administrative Procedure C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/14 Common Public Administrations (LPACAP), was collected on the 22nd of August 2022, as stated in the acknowledgment of receipt in the file. NINTH: Notification of the aforementioned resolution proposal in accordance with the rules established in the LPACAP and after the term granted for the formulation of allegations, it has been verified that no allegation has been received from EDREAMS. In view of all the proceedings, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts: PROVEN FACTS FIRST: On February 11, 2019 an email was sent from the address no-***EMAIL.1 to ***EMAIL.2, dated February 11, 2019, with the subject “Your reservation is confirmed (Reference ***REFERENCE.1” and the following text: "You can go now. Confirmed reservation GoVoyages booking reference: ***REFERENCE.1 (…)” (in French in the original) Attached to this email is the reservation of a travel itinerary in which it appears as passenger "AAA." SECOND: On February 11, 2019, GOVOYAGES issues an invoice in the name of A.A.A., which includes a charge of 50 euros for a "Supplementary Service of flight”, Dossier number ***REFERENCE.1. THIRD: On March 7, 2019, an email was sent from the address no-***EMAIL.1 to ***EMAIL.2, dated March 7, 2019, with the subject “Your reservation is confirmed (Reference ***REFERENCE.1” and the following text: "You can go now. Confirmed reservation GoVoyages booking reference: ***REFERENCE.1 (…)” (in French in the original) Attached to this email is the reservation of a travel itinerary in which it appears as passenger “XXXXXXXXX”. FOURTH: On April 4, 2019, an email was sent from the address not- ***EMAIL.1a ***EMAIL.2, dated April 4, 2019, with the subject “Your reservation is confirmed (Reference ***REFERENCE.2” and the following text: "You can go now. Confirmed reservation GoVoyages booking reference: ***REFERENCE.2 (…)” (in French in the original). Attached to this email is the reservation of a travel itinerary in which it appears as passenger "AAA." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/14 FIFTH: The right to rectify data exercised before EDREAMS, as well as Any other right included in the personal data protection regulations, is gratuitous. In the present case, the correction of an error in the name of the passenger of a ticket, the change will be made in the EDREAMS systems, as well as in the company's corresponding airline, according to its terms and conditions. There is no any associated fees to proceed with such error correction on behalf of the passenger by EDREAMS. SIXTH: XXXXX imposes charges related to any name change. In it In the present case, the costs of said change were 35 euros. SEVENTH: On March 14, 2020, the EDREAMS agent collected the change in the name to the complaining party and failed to make it clear to the complaining party that the cost was not a cost of EDREAMS but of the airline. EIGHTH: As soon as this circumstance was detected, the policy was reviewed again and the An internal communication was sent to all agents on January 21, 2021 remembering the internal policy of correction of errors in the names. Likewise, the agents have had the annual data protection training (carried out between the months of September and December 2021) in which one of the cases practical is the correction of errors in the name of passengers; and the annual review of internal policies, as well as various recurring communications recalling the mentioned correction. NINTH: EDREAMS has proceeded to request the claimant's bank details. rios to make the corresponding refund and pay you, not just the charge of 50 eu- rivers, but the entire trip as compensation. FUNDAMENTALS OF LAW Yo Competition and applicable regulations In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "Procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/14 II previous questions In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is the processing of personal data, since EDREAMS performs the collection of, among other personal data of natural persons, name and surname and email, among other treatments. EDREAMS carries out this activity in its capacity as data controller, given who is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR. In addition, it is a cross-border treatment, since EDREAMS is established in Spain, although it provides services to other countries of the Union European. The GDPR provides, in its article 56.1, for cases of cross-border processing, provided for in its article 4.23), in relation to the competence of the authority of main control, that, without prejudice to the provisions of article 55, the authority of control of the main establishment or of the only establishment of the person in charge or of the The person in charge of the treatment will be competent to act as control authority for the cross-border processing carried out by said controller or commissioned in accordance with the procedure established in article 60. In the case examined, as has been exposed, EDREAMS has its only establishment in Spain, so the Spanish Agency for Data Protection is competent to act as the main supervisory authority. For its part, the right to rectify personal data is regulated in the article 16 of the RGPD and the modalities of exercise of the rights of the interested parties are detailed in article 12 of the GDPR. II Allegations adduced to the initiation agreement In relation to the allegations adduced to the agreement to initiate this disciplinary procedure, EDREAMS alleges that after the internal investigations verified that, indeed, on March 14, 2020, the EDREAMS agent collected by mistake to the complaining party. It alleges that this agent confused the airline and did not make it clear to the party complainant that the cost was not a cost of EDREAMS but of the airline. But as soon as the agent's manual error was detected, the policy was revised new and an internal communication was sent to all the agents reminding the policy internal. Likewise, Mr. A.A.A. to provide the data bank to make the corresponding reimbursement and will be paid, not only the charge of 50 euros, but the entire trip as compensation. For all this, considers EDREAMS to have acted diligently in this regard. It is also alleged that, since then, the officers have undergone the annual training of data protection (carried out between the months of September and December 2021) in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/14 which one of the practical cases is the correction of errors in the name of passengers; and the annual review of internal policies, as well as various communications recurring recalling the aforementioned correction. In this regard, this Agency wishes to point out that it positively values the measures adopted by EDREAMS to prevent the error that occurred in the present case not be reproduced again and that the complaining party be compensated for the collection improper. However, it is undeniable that, regardless of the policy of the airlines Regarding the name change of the passengers, EDREAMS charged the party claimant a charge for having rectified what the company itself recognizes as erratum. It is true that EDREAMS cannot be held responsible for the collection that carried out in this sense by the airlines in question (in the present case, XXXXX), but In the present case, the truth is that part of that payment corresponded to the efforts carried out by EDREAMS, as the company acknowledges. And that, furthermore, I don't know had duly informed the claiming party of the breakdown of said collection. For all the foregoing, this claim is dismissed. IV. Right of rectification Article 16 "Right to rectification" of the GDPR establishes: "The interested party shall have the right to obtain without undue delay from the person responsible for the processing the rectification of inaccurate personal data concerning you. Taking into account the purposes of the treatment, the interested party will have the right to complete personal data that is incomplete, including through a additional statement”. In the present case, it is clear that the complaining party had made a purchase of tickets through the EDREAMS website and, upon receiving them, verified that there were an error in his name, for which he requested EDREAMS to correct such error, duly exercising your right to rectify your personal data. V Modalities of exercise of the rights of the interested party Article 12 "Transparency of information, communication and modalities of exercise of the rights of the interested party" of the GDPR, in its section 5, establishes: "5. The information provided under articles 13 and 14 as well as any communication and any action carried out under articles 15 to 22 and 34 they will be free of charge. When the requests are manifestly unfounded or excessive, especially Due to its repetitive nature, the data controller may: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/14 a) charge a reasonable fee based on administrative costs faced to facilitate the information or communication or carry out the action requested, or b) refuse to act on the request. The controller shall bear the burden of proving the character manifestly unfounded or excessive of the request”. In the present case, it is clear that the claimant was charged €50 for correcting a typo in his name, without proving that such request had been manifestly unfounded or excessive. Therefore, according to the evidence available at this time resolution of the disciplinary procedure, it is considered that the known facts constitute an infringement, attributable to EDREAMS, for violation of the Article 12 of the GDPR. SAW Classification of the infringement of article 12 of the GDPR If confirmed, the aforementioned infringement of article 12 of the GDPR could lead to the commission of the offenses typified in article 83.5 of the GDPR that under the The heading "General conditions for the imposition of administrative fines" provides: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: (…) b) the rights of the interested parties in accordance with articles 12 to 22; (…)” In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that: "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law”. For the purposes of the limitation period, article 72 "Infractions considered very serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that a substantial violation of the articles mentioned therein and, in particular, the following: (…) j) The requirement to pay a fee to provide the data subject with the information to which referred to in articles 13 and 14 of Regulation (EU) 2016/679 or by Respond to the requests for the exercise of the rights of the affected parties provided for in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/14 articles 15 to 22 of Regulation (EU) 2016/679, apart from the assumptions established in its article 12.5. (…)” VII Penalty for violation of article 12 of the GDPR Without prejudice to the provisions of article 83 of the GDPR, the aforementioned Regulation provides in section 2.b) of article 58 "Powers" the following: "Each control authority will have all the following corrective powers indicated below: (…) b) send a warning to any person in charge or person in charge of the treatment when the processing operations have infringed the provisions of the this Regulation; (…)” For its part, recital 148 of the GDPR indicates: “In the event of a minor infraction, or if the fine likely to be imposed constitutes a disproportionate burden on a natural person, rather than sanction by means of a fine, a warning may be imposed. should however special attention should be paid to the nature, seriousness and duration of the infringement, to its intentional nature, to the measures taken to alleviate the damages suffered, to the degree of responsibility or any relevant prior infringement, to the manner in which that the supervisory authority has become aware of the infringement, to compliance of measures ordered against the person in charge or in charge, to adherence to codes of conduct and any other aggravating or mitigating circumstances.” According to the evidence available at the present time of disciplinary procedure resolution, it is considered that the offense in question is slight for the purposes of article 83.2 of the GDPR given that in the present case, taking into account that there is no record in this EDREAMS Agency for having charged to the interested party when exercising their right of rectification and that, as soon as they had knowledge of the claim, EDREAMS proceeded to return the amount collected for the rectification of the name to the claiming party as well as the rest of the ticket to compensation mode and took steps to prevent such an incident from could occur again, it can be considered a reduction of guilt in the facts, for which reason it is considered in accordance with the law not to impose a consistent sanction in an administrative fine and replace it by directing a warning to EDREAMS. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ADDRESS VACACIONES EDREAMS, S.L., with NIF B61965778, for a infringement of article 12 of the GDPR, typified in article 83.5 of the GDPR, a warning. SECOND: NOTIFY this resolution to VACACIONES EDREAMS, S.L. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/14 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative proceedings within a period of two months from the day following the Notification of this resolution would terminate the precautionary suspension. 938-120722 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es